Last June 13, Microsoft released its Cumulative Security Update for Internet Explorer (2699988), which addresses CVE-2012-1875, a vulnerability exploited by malware that Trend Micro detects as JS_DLOADER.SMGA. Attack code for this vulnerability has also been made public. It is rare for attack code to be released at the same time as Microsoft’s security update; in general, malware exploiting such vulnerabilities does not show up this quickly. Since the affected software is Internet Explorer, this attack can have a significant impact on millions of IE8 users.

By exploiting CVE-2012-1875, JS_DLOADER.SMGA poses a bigger threat to users because it also downloads the backdoor BKDR_AGENT.BCSG, disguised as a .JPG file. This backdoor is capable of communicating with a command-and-control (C&C) server via port 80. In effect, this communication compromises an infected system’s security, leaving it exposed to further infection.

How JS_DLOADER.SMGA Exploits CVE-2012-1875

I’m sharing my analysis of JS_DLOADER.SMGA to inform users of the key issue in CVE-2012-1875, as well as to introduce our solution.

Based on my analysis, the noteworthy routines of JS_DLOADER.SMGA include:

Affected-system check. Unlike document-based exploits, this malicious JavaScript uses a simple script to gather the OS version and language of the system it runs on.

Return-Oriented Programming (ROP). Even though JS_DLOADER.SMGA successfully exploits CVE-2012-1875, its code cannot jump directly to the heap-sprayed area because of Data Execution Prevention (DEP), which is enabled in affected applications such as IE8 and IE9. To bypass DEP, the exploit uses return-oriented programming (ROP). Because the modules it relies on are loaded at different addresses depending on the OS version and language, it uses a specific script to determine where those modules are in memory, and then generates ROP code specific to the confirmed system information.

Technical Analysis of JS_DLOADER.SMGA

To show how the vulnerability works, I attempted to remove the heap spray module and execute the sample. Below is the result of this attempt:

Based on the screenshot above, we can confirm that the crash occurs at the call through [eax+70h], since it points to ‘????????’, an unknown (unmapped) address.

So where does [eax+70h] point? The value comes from the following code:

This means that the pointer to the vtable is stored in the object and is retrieved from it.

Checking eax ([ecx]) in IDA Pro, ecx points to an object whose vtable is “mshtml!CBodyElement::`vftable'”, shown below:

Let’s check which vtable entry [eax+70h] points to.

The address can be calculated by adding [70h*4] to “mshtml!CBodyElement::`vftable’”. The result in edx shows “mshtml!CElement::SecurityContext”.

In our test, however, it points to the wrong address (the deleted object) because JS_DLOADER.SMGA successfully exploits the CVE-2012-1875 vulnerability, which results in the error.

Let’s execute JS_DLOADER.SMGA to confirm its payload. To confirm how the CVE-2012-1875 vulnerability is used, we modified some of JS_DLOADER.SMGA’s code.

The screenshots below show the specific code in JS_DLOADER.SMGA that exploits the vulnerability:

CElement::GetAtomTable also passes the object pointer to CElement::Doc.

Because JS_DLOADER.SMGA successfully exploits the CVE-2012-1875 vulnerability, ecx now points to the deleted object, which in turn points to the heap-sprayed area (0x0c0c0c0c). Thus, [eax+70h] points into the heap area (0x0c0c0c7c), where the ROP module is, instead of calling mshtml!CElement::SecurityContext. The ROP module at 0x0c0c0c7c, which begins at 0x0c0c0c0c, is executed from CElement::Doc and jumps to iertutil!SettingStore::s_rgKeyTree+0x5a0.

Now, let’s look at the heap area allocated by JS_DLOADER.SMGA.

Using WinDbg, we can confirm the heap-sprayed areas: 97.98% of the allocations have a size of 80,000, and there are 1c2 such allocations.

Let’s check the heap spray module in JS_DLOADER.SMGA. Because it loops 0x1c2 times, it creates 0x1c2 heap allocations.

Looking at the heap-sprayed area, it contains the padding module (deadbee1, etc.), followed by 0x90 (NOP) bytes in most other places.

JS_DLOADER.SMGA references deleted objects using a specially crafted script so that it can successfully exploit CVE-2012-1875. The inserted code, Padding + ROP + Shellcode + Padding, is then executed in the heap-sprayed area.

Bypassing Data Execution Prevention (DEP) in IE8 and IE9

DEP is designed to prevent code from executing in non-executable memory. By exploiting CVE-2012-1875, JS_DLOADER.SMGA gains only read and write access to the heap-sprayed area, not permission to execute it.

To see how JS_DLOADER.SMGA’s ROP code gains control, let’s check the permissions of the heap-sprayed area. It has only RW (read/write) permissions, which means it is impossible to jump to the heap-sprayed area directly.

The technique for bypassing DEP is already public. In this case, JS_DLOADER.SMGA’s ROP code calls VirtualAlloc with the flProtect parameter set to 0x40 (PAGE_EXECUTE_READWRITE), changing the protection of the heap-sprayed area so that it can be executed, read, and written.

Let’s check the heap-sprayed area that is jumped to after DEP is bypassed. After the VirtualAlloc call, the heap area has RWX (read/write/execute) permissions.
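As an added example (not Trend Micro’s code and not part of the original analysis), the following Python triage helper applies the two observations from the heap spray and DEP sections to a constructed allocation log: (1) does one allocation size dominate with hundreds of blocks, as with the 0x1c2 spray blocks here, and (2) does the sprayed address 0x0c0c0c0c end up inside a region whose protection is PAGE_EXECUTE_READWRITE (0x40), the flProtect value passed to VirtualAlloc. The record format (“base size protect” in hex, one per line), the spray base address, the 0x80000 block size (the text’s “80,000” read as hex) and the heuristic thresholds are all assumptions made for this example; real records would come from a debugger or an API-monitor log.

```python
"""
Triage helper: flag heap-spray-shaped allocations and an executable spray target.

Added example, not Trend Micro's code. The allocation-record format is
constructed for this example; in practice it would be exported from a
debugger (WinDbg) or an API-monitor log.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Windows memory-protection constants from winnt.h.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Values taken from the analysis above.
SPRAY_TARGET = 0x0C0C0C0C      # address the freed object ends up pointing at
SPRAY_BLOCKS = 0x1C2           # number of heap allocations made by the spray loop
SPRAY_BLOCK_SIZE = 0x80000     # assumption: the "80,000 size" in the text read as hex


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def parse_regions(lines: Iterable[str]) -> List[Region]:
    """Parse 'base size protect' hex records; blank lines and '#' comments are skipped."""
    regions = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        base, size, protect = (int(field, 16) for field in line.split())
        regions.append(Region(base, size, protect))
    return regions


def spray_statistics(regions: List[Region]) -> Tuple[int, int, float]:
    """Return (dominant allocation size, its count, its share of all allocations)."""
    sizes = Counter(r.size for r in regions)
    size, count = sizes.most_common(1)[0]
    return size, count, count / len(regions)


def looks_like_spray(regions: List[Region], min_count: int = 0x100,
                     min_share: float = 0.9) -> bool:
    """Heuristic: hundreds of same-sized allocations that dominate the heap."""
    _, count, share = spray_statistics(regions)
    return count >= min_count and share >= min_share


def executable_at(regions: List[Region], addr: int) -> bool:
    """True if any region covering addr carries PAGE_EXECUTE_READWRITE."""
    return any(r.protect & PAGE_EXECUTE_READWRITE for r in regions if r.contains(addr))


def build_sample(after_virtualalloc: bool) -> List[str]:
    """Constructed log: 0x1c2 spray blocks plus a few unrelated allocations.
    With after_virtualalloc=True the block covering SPRAY_TARGET is marked 0x40,
    modelling the VirtualAlloc(..., flProtect=0x40) call made by the ROP code."""
    lines = ["# base size protect (all hex)"]
    for i in range(SPRAY_BLOCKS):
        base = 0x02000000 + i * SPRAY_BLOCK_SIZE      # constructed spray base
        protect = PAGE_READWRITE
        if after_virtualalloc and base <= SPRAY_TARGET < base + SPRAY_BLOCK_SIZE:
            protect = PAGE_EXECUTE_READWRITE
        lines.append(f"{base:08x} {SPRAY_BLOCK_SIZE:x} {protect:02x}")
    for j in range(9):  # unrelated small allocations (noise)
        lines.append(f"{0x00300000 + j * 0x1000:08x} {0x1000:x} {PAGE_READWRITE:02x}")
    return lines


def triage(lines: Iterable[str], target: int = SPRAY_TARGET) -> dict:
    """Summarise the spray statistics and whether the target address is executable."""
    regions = parse_regions(lines)
    size, count, share = spray_statistics(regions)
    return {
        "dominant_size": size,
        "dominant_count": count,
        "dominant_share": round(share, 4),
        "spray_suspected": looks_like_spray(regions),
        "target_executable": executable_at(regions, target),
    }


if __name__ == "__main__":
    for label, sample in (("before VirtualAlloc", build_sample(False)),
                          ("after VirtualAlloc", build_sample(True))):
        print(label, triage(sample))
```

Run on the “before” sample, the helper reports the spray (one size, 0x1c2 blocks, about 98% of allocations) but no executable page at 0x0c0c0c0c, matching the RW-only state described above; on the “after” sample the same address is flagged as executable, which is the state that lets the ROP chain hand off to the shellcode.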
